Evaluating Password Composition Policy and Password Meters of Popular Websites

Kyungchan Lim, Joshua H. Kang, Matthew Dixson, Hyungjoon Koo, Doowon Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Password-based authentication is one of the most commonly adopted mechanisms for online security. Choosing strong passwords is crucial for protecting one's digital identities and assets, because weak passwords are readily guessable and their compromise leads to unauthorized access. To promote the use of strong passwords on the Web, the National Institute of Standards and Technology (NIST) provides website administrators with password composition policy (PCP) guidelines. We manually inspect popular websites to check whether their password policies conform to NIST's PCP guidelines, generating passwords that meet each criterion and testing them against 100 popular websites. Our findings reveal that a considerable number of websites (53.5% on average) do not comply with the guidelines, which could leave their users' accounts open to password-guessing attacks and subsequent breaches.
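As an added illustration of the probe approach the abstract describes (craft a password that satisfies or violates one NIST SP 800-63B criterion, submit it, and record whether the site's policy agrees), the following Python is example code, not the paper's tooling. `nist_accepts` is a reference verifier built from the SP 800-63B section 5.1.1.2 requirements (8-character minimum, at least 64 characters permitted, spaces and Unicode allowed, no composition rules, blocklist comparison); `legacy_policy` is a constructed, deliberately non-conformant site policy of the "8 to 16 characters, four character classes" kind; `audit_policy` runs a constructed probe set against any policy function and reports the criteria it violates. The probe passwords and the blocklist are made up for this example.

```python
"""Probe-based audit of a password composition policy (PCP) against the
NIST SP 800-63B memorized-secret rules.

Added illustration, not the paper's own tooling. The probe passwords, the
blocklist and the `legacy_policy` site rules are constructed for this example.
"""
import unicodedata
from typing import Callable, List, Tuple

# Constructed stand-in for a breached/common-password corpus. NIST requires
# candidate secrets to be compared against such a list.
BLOCKLIST = {"password", "123456", "qwerty123", "letmein1", "password1!"}

# Upper bound is a verifier-side resource limit, not a NIST maximum: NIST
# requires that at least 64 characters be *permitted*.
MAX_LEN = 256


def nist_accepts(pw: str, blocklist=BLOCKLIST) -> bool:
    """Reference verifier following SP 800-63B section 5.1.1.2.

    - length is 8..MAX_LEN Unicode code points, counted after NFKC
      normalization so composed and decomposed forms agree;
    - every printable character, space and non-ASCII included, is allowed;
    - no character-class composition rules are imposed;
    - blocklisted values (compared case-insensitively here) are rejected.
    """
    pw = unicodedata.normalize("NFKC", pw)
    if not 8 <= len(pw) <= MAX_LEN:
        return False
    if pw.lower() in blocklist:
        return False
    return True


def legacy_policy(pw: str) -> bool:
    """Constructed example of a typical non-compliant site policy:
    8-16 ASCII characters, no spaces, and all four character classes."""
    if not 8 <= len(pw) <= 16 or not pw.isascii() or " " in pw:
        return False
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


# (criterion, probe password, should a NIST-conformant policy accept it?)
# Each probe satisfies the usual composition rules except for the one
# property it tests, so a rejection can be attributed to that property.
PROBES: List[Tuple[str, str, bool]] = [
    ("8-character minimum: exactly 8 chars accepted", "Gr33n!fx", True),
    ("8-character minimum: 7 chars rejected", "Gr33n!f", False),
    ("at least 64 chars permitted", "Xy9!" * 16, True),
    ("space character accepted", "Correct h0rse!", True),
    ("all printable ASCII accepted", 'Ab1~`<>|;:"', True),
    ("Unicode accepted, code points counted once", "Pässwört3!", True),
    ("no composition rules: lowercase-only phrase accepted", "lowercasephrase", True),
    ("blocklisted value rejected", "Password1!", False),
]


def audit_policy(policy: Callable[[str], bool]) -> List[str]:
    """Return the criteria on which `policy` disagrees with NIST."""
    return [name for name, pw, expected in PROBES if policy(pw) != expected]


if __name__ == "__main__":
    for name, violated in (("legacy_policy", audit_policy(legacy_policy)),
                           ("nist_accepts", audit_policy(nist_accepts))):
        print(f"{name}: {len(violated)} of {len(PROBES)} criteria violated")
        for v in violated:
            print("  -", v)
```

Against a real site the `policy` argument would be a function that submits the probe through the registration or password-change form and reads back the acceptance result; the probe set stays the same. The blocklist comparison is done on the lowercased value so that trivial capitalization variants of a known-bad password are caught as well.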

Original language: English
Title of host publication: Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 12-20
Number of pages: 9
ISBN (Electronic): 9798350312362
DOIs
State: Published - 2023
Externally published: Yes
Event: 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 - San Francisco, United States
Duration: May 22 2023 to May 25 2023

Publication series

Name: Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023

Conference

Conference: 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023
Country/Territory: United States
City: San Francisco
Period: 05/22/23 to 05/25/23

Funding

We thank the anonymous reviewers for their constructive feedback. The authors gratefully acknowledge the support of NSF (2210137). This work was supported by Science Alliance’s StART program and a gift from Google exploreCSR, and partly supported by an Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (Ministry of Science and ICT) (No. 2022-0-01199; Graduate School of Convergence Security (Sungkyunkwan University)). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.
